How To Use Awareness Training and GDPR Training for Security Policy Compliance and Staff Awareness

By: Gillian Loones | Awareness training | 5 May

Although the GDPR has been around for some time now, many organisations are still figuring out the best way to provide GDPR training and increase staff awareness of security issues. The GDPR has training requirements, which make it necessary for staff to receive some awareness training. Still, there are many ways to implement GDPR awareness training for employees: it could be online, in person, or a mix of the two, and there are tons of topics to potentially cover. In this blog post, we discuss why awareness training is important for both GDPR compliance and organisational security, and we break down how staff awareness training can help you achieve compliance with the GDPR and other cyber security frameworks.

GDPR training can fill gaps in knowledge

The GDPR was introduced by the EU in May 2018 to better inform consumers about how their personal data is used and to enforce better data handling and protection in organisations.

As a result, the GDPR introduced many rules regarding the handling of personal data and the prevention of security breaches, organised around 7 principles for data protection. These rules are enforced under the threat of large monetary fines for noncompliant organisations.

Even though working with the GDPR has become normal now, it's common to be unsure of what you need to do in your organisation to be compliant. For instance, the roles of data processors and controllers, how to handle data transfers outside of the EU, and even what qualifies as personal data can be tricky to navigate.

GDPR training for employees makes security everyone's job

Data security is the job of everyone within an organisation, not just the IT team. It’s also a topic that companies both large and small should take seriously. But most employees don’t have a lot of free time to study the GDPR. That’s why GDPR training for employees is an important part of building a secure and aware organisation. Through GDPR awareness training you can, among other things, help your staff know how to deal with data on a day-to-day basis and bring your organisation closer towards achieving GDPR compliance.


Common GDPR training topics

When it comes to the GDPR and IT security, there is a lot that your team should be familiar with. For example, personal data is a popular topic for GDPR training courses because it is something that remains confusing for many employees. Proper handling of personal data is really important for all employees to understand, as mishandling of personal data is involved in many of the most common GDPR breaches.

A few other topics to cover in your GDPR awareness training could be:

You are also welcome to review our course catalogue, where you can find examples of awareness training courses that we currently offer. What’s important is that security knowledge rests not just in the IT department, but that the rest of the staff in your organisation are aware as well. However, it can be difficult for staff to keep up with data regulations on their own. To illustrate the importance of this, let us look at what could happen when safe data handling practices are not well understood.


Most security breaches are due to human error, but they don’t have to be

A security breach generally means that some or all personal data that is handled in the organisation is, accidentally or maliciously, released outside of the organisation. It could happen, for example, when an employee clicks a phishing email, accidentally downloads malware or ransomware, sends personal data to the wrong recipient via email, or uses an unsafe public Wi-Fi connection.

When people think about security breaches, they usually think about malicious, expert hackers attacking the organisation’s IT systems and stealing data.

However, security breaches often happen due to human error. This problem has two sides. On one hand, people might make mistakes or handle data carelessly because they lack knowledge about the importance of safe data handling practices. For example:

  • An email is sent to the wrong person

  • Data is displayed to unauthorized persons

  • Data is left unattended

  • Access is granted to the wrong person

  • Data is stored incorrectly

  • A device is stolen or shared

  • Documents with information are printed incorrectly and/or may be forgotten

On the other hand, when people lack security awareness, they are more susceptible to cyber attacks, because most hacking attacks try to exploit humans rather than IT systems. Such staff are more likely to fall prey to social engineering attacks, like those used in phishing emails, that may lead to a data breach. That’s why training employees to recognize the signs of phishing emails is so important.


Technical tools can't stand on their own

Technical cybersecurity remains a vital part of keeping your organisation safe. Various technical tools, like mobile device management or SIEM and log management, can be used to reduce the risk of security incidents. A few other technical solutions include:

However, no matter how sophisticated technical tools are, they are not 100% effective at keeping out all threats. They are only half the battle and cannot improve:

  • Staff behaviour: e.g., a firewall won’t prevent staff from granting access to data to the wrong people.

  • Unclear processes when it comes to handling personal data.

  • Lack of knowledge about cybersecurity.

These are things that only the staff themselves can fix and prevent. And luckily, all staff are easily capable of this, given the right tools and training.

Your strongest defence against security incidents is a comprehensive awareness among all staff combined with clear processes for handling data. This is why it is crucial to increase awareness through GDPR training.


GDPR awareness training: turning your team into your strongest defence

Awareness training is one of the tools your organisation can use to greatly improve your team’s knowledge about cybersecurity and safe data handling. It’s also needed to be GDPR compliant:

  • Article 39 requires that your data protection officer raises awareness and provides training to staff who are involved in data processing.

  • Article 43 requires that staff who have permanent or regular access to personal data receive data protection training.

As we discussed earlier in this blog post, personal data can be complicated. You cannot expect that all staff are experts in the GDPR. Therefore, a GDPR training program that regularly provides staff with clear, simple, and practical explanations and examples about how to safely handle personal data can be of great help in improving staff behaviours.

Furthermore, when people are aware of the dangers that cybercriminals pose, they are more likely to detect phishing attacks and less likely to make other errors, such as storing data incorrectly or for too long.

Next to awareness about cybersecurity and the importance of safe data handling, staff also need to be aware of the specific processes and responsibilities regarding information security in your organisation. Simply put, it is the task of the IT department and the management team to set up clear processes that staff can follow and to appoint people who staff can contact with questions about the GDPR and information security. This could be, for example, your Data Protection Officer. Both an IT Security Policy and an Acceptable Use Policy are documents where these kinds of processes can be described.

The organisation needs to establish:

  • Clear data handling processes to ensure staff always act with information security in mind

  • A person responsible for GDPR and information security who can help staff and acts as a central point of contact regarding security incidents

The staff need to be aware of:

  • Cybersecurity and the dangers of cybercriminals

  • The data handling processes in the organisation and the GDPR

  • The importance of reporting potential security incidents and seeking help from the person responsible for GDPR when they have any uncertainties or suspicions


Awareness training helps you meet GDPR training requirements and other cybersecurity certifications

Making sure that your company is GDPR compliant is top of mind for most organisations, and there are several frameworks that organisations use to help them maintain and document GDPR compliance. Some of these are industry-specific, and others are country-specific. Not all cybersecurity frameworks ensure GDPR compliance, but some of the frameworks’ requirements overlap with the GDPR, and many frameworks require awareness training.

Below, you can see a few of the additional cybersecurity frameworks that organisations are using in their GDPR work and how awareness training fits into each of them.

Framework: ISO 27701
Description: An extension of ISO 27001, which is an international standard for information security practices. ISO 27701 has additional requirements regarding personal data that ensure GDPR compliance.
Awareness training requirement: Clause 7.2.2 requires that all company workers and necessary contractors receive awareness education and training.

Framework: ISAE 3000 GDPR
Description: A specific version of the ISAE 3000 that includes GDPR requirements for compliance. Depending on the amount of personal data your organisation processes, you would comply with either ISAE 3000 High (for high levels of personal data) or ISAE 3000 Low (for low levels of personal data).
Awareness training requirement: Requires the relevant training of personnel.

Framework: CIS (Center for Internet Security Critical Security Controls)
Description: Best practice guidelines for computer security with a list of actions organisations should take to prevent attacks.
Awareness training requirement: Control 14 requires a security awareness program to be created and maintained.

Framework: ISO 27001 and 27002
Description: International standard with best practice guidelines for information security management systems.
Awareness training requirement: Clause 7.2.2 requires that all company workers and necessary contractors receive awareness education and training.

Framework: NIST
Description: U.S.-based framework with information security guidelines that organisations that do business with the U.S. federal government must comply with.
Awareness training requirement: To comply, an organisation’s managers, systems administrators, and systems users must be aware of security risks. Awareness training should cover how to recognize and report threats.

Framework: CMMC
Description: Soon to replace NIST in the U.S. Used for entities doing business with the U.S. government.
Awareness training requirement: There are several levels for compliance. Levels 2 and above, which indicate a minimum intermediate cyber hygiene, require awareness training.

Framework: ISRS 4400
Description: Similar to ISAE 3000, but the ISRS 4400 is based only on the criteria that the auditor is asked to verify.
Awareness training requirement: Requires the relevant training of personnel.


GDPR awareness training can be implemented in a variety of ways

Getting started with awareness training is easier than you might think. It all comes down to giving people knowledge about personal data and cybersecurity in a way that they can easily understand and remember.

That’s why it’s a good idea to transfer this knowledge in multiple ways and through multiple channels, to really make awareness about cybersecurity present in everyone’s mind.

You could, for example, combine GDPR training online with classroom learning. E-learning can help you achieve a certain continuity and encourage staff to learn at their own pace. Classroom learning can facilitate the exchange of ideas and put knowledge into practice.

There are many possibilities for organising a good awareness training programme. Here, we have put together some tips for creating a training programme that your employees will enjoy. You can get pretty creative if you want to, for example with the use of gamification elements.


Different methods of GDPR awareness training

A few examples of GDPR training formats are:

Online GDPR training: Short e-learning modules consisting of videos, text, quizzes, and more.

Classroom learning: Longer sessions given by an instructor. This can encourage discussion or give you the opportunity to invite an expert.

Simulations: Phishing and other cybersecurity simulations give people the opportunity to practice their knowledge in realistic security incident situations.

Workshops: For example, a workshop where staff can place themselves in the shoes of a cybercriminal and learn to understand how a cybercriminal thinks.

Freely available online material: There are many learning sources and other materials available online for free. This ranges from YouTube videos to government campaigns to posters and diagrams you can hang up around the office.

For example, the European Union Agency for Cybersecurity (ENISA) has free materials to promote IT security. Additionally, the United States National Cyber Security Alliance (NCSA) has a free video series that you can share with your employees.

Group activities & games: These can be in a variety of formats, for example an escape room or a Cluedo-like scenario where the team must figure out how and by whom the company was infiltrated.


GDPR training for employees increases security awareness and helps you stay GDPR compliant

Aside from what we’ve already mentioned, there are many possibilities for organising awareness training. You can choose the formats that best fit your organisational needs, and measure the effect of the training on your employees. A good awareness training program is one that staff do not see as a burden, but one they may even look forward to.

Successfully applying awareness training techniques results in staff that are intuitively aware of what they need to do in their own daily workflow to comply with the GDPR, while also improving the general cybersecurity in the organisation. In the end, staff who are aware might just turn out to be your strongest line of cyber defence!